Subject: [ActiveDir] Disabled Accounts/Mail accepted
danielcariglia
Posts: 0
03/03/2006 9:59 AM
Hello,

A few years back we had changed the way we disabled AD user accounts from disabling the account to restricting logon hours (restricted 24x7) and hiding from the GAL. We did this because mail sent to disabled accounts was getting rejected and the sender was getting an NDR. Also, management would come back to us a week later and want the ex-employee's email correspondence after they left the company. At that time we were a 2000 SP2 domain with Exchange 2000; currently we are a 2003 SP1 domain with Exchange 2003.

Presently, we have become aware that mail sent to accounts with the disabled box checked arrives in the mailbox. My question is: did this behavior change when you upgrade to 2003 AD/Exchange 2003 or at some service pack level? Were we wrong in our original assumption a few years back that email would not flow to disabled accounts? The following MSFT article seems to support my assumption that disabled accounts will generate an NDR unless modified.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;319047

Any thoughts on this, thank you in advance.

Dan

AD000001270
Posts: 0
03/03/2006 11:18 AM
I believe this issue really depended on the permissions on the mailbox and the synchronization of the security attributes. I can't recall, but I believe it did behave a bit differently in Exchange 2000.

I use NOMAS.exe to fix and sync the permissions when I enable/disable accounts. All my resource mailboxes are disabled, have Self set as the associated external account, and have an msExchMasterAccountSid set.

Ion


deji
Posts: 151
03/04/2006 11:05 AM
The problem with using NoMAS is that you are always chasing your tails. You
have to remember to run it often, and in the meantime, your Exchange server
is being crippled by event ID 9548. The "fix" for this "issue" is more
process than technical.

You need to work out a termination process with your management and HR. You
need to establish how long you need to retain an ex-employee's account and
"stuffs" for before you whack them. Because I cannot usually whack them
right away, this is what I usually do:

Move the account to a special "terminated" OU. Remove the account from ALL
groups, add it to a special "terminated" group, make the "terminated" group the
primary group of the account. Set a stupidly long, non-intelligent,
auto-generated password on the account. Xmerge the mailbox contents and hide
the mailbox. Put in a comment on the account specifying the date all this was
done.

The "special" OU and group have "special" policies - for example, no dial-in,
no console login, no over-the-network access to resources, etc. - applied to
them.

Then I have a "cleanup" script that goes in weekly and deprovisions any
terminated account that has been terminated longer than x number of
days/weeks/months.

The above may not be an efficient process. But it is a process. You need to
work out one that works for your environment.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

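The termination steps described in the post above, as an added PowerShell example that is not from the thread or from any of its posters. It assumes a current domain with the ActiveDirectory module (which the 2003-era environment in the thread did not have); the OU name, group name, retention period and the TERMINATED description format are assumptions, and the Exchange-side Xmerge export is left out.

```powershell
# Added example (not from the thread): Deji's termination steps with the ActiveDirectory module.
Import-Module ActiveDirectory

$TerminatedOU    = 'OU=Terminated,DC=example,DC=com'   # assumed OU
$TerminatedGroup = 'Terminated-Users'                  # assumed group
$RetentionDays   = 90                                  # assumed retention period

function Disable-TerminatedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser $SamAccountName
    $group = Get-ADGroup $TerminatedGroup -Properties primaryGroupToken

    # Make "terminated" the primary group first: AD will not remove a user
    # from its current primary group (usually Domain Users), so order matters.
    Add-ADGroupMember -Identity $group -Members $user
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken }

    # Re-read memberOf after the primary change (the old primary group now
    # appears there) and remove every group except the terminated one.
    $memberOf = (Get-ADUser $user -Properties MemberOf).MemberOf
    foreach ($dn in $memberOf) {
        if ($dn -ne $group.DistinguishedName) {
            Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
        }
    }

    # Long, non-intelligent password: 32 CSPRNG bytes, base64-encoded (43 chars).
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -NewPassword $pw -Reset

    # Hide from the GAL (Exchange attribute on the user object) and stamp the
    # termination date in the description so the cleanup job can find it.
    $stamp = (Get-Date).ToString('yyyy-MM-dd')
    Set-ADUser -Identity $user -Description "TERMINATED $stamp" `
        -Replace @{ msExchHideFromAddressLists = $true }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOU
}

function Remove-ExpiredTerminatedUsers {
    # Weekly cleanup: deprovision accounts terminated longer than the retention period.
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $TerminatedOU -Filter 'Description -like "TERMINATED *"' -Properties Description |
        Where-Object { [datetime]::ParseExact($_.Description.Substring(11), 'yyyy-MM-dd', $null) -lt $cutoff } |
        ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false }
}
```

The post's "special" policies (no dial-in, no console logon, no network access) are applied by Group Policy on the terminated OU and are not part of the script.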